
[PATCH] Keys: Split key permissions checking into a .c file

The attached patch splits key permissions checking out of key-ui.h and
moves it into a .c file. It's quite large and called quite a lot, and
it's about to get bigger with the addition of LSM support for keys...

key_any_permission() is also discarded as it's no longer used.

Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

David Howells and committed by
Linus Torvalds
468ed2b0 f1a9badc

+76 -86
+5 -86
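--- a/include/linux/key-ui.h
+++ b/include/linux/key-ui.h
@@ -38,97 +38,16 @@
 	struct key *keys[0];
 };
 
-
 /*
  * check to see whether permission is granted to use a key in the desired way
  */
+extern int key_task_permission(const key_ref_t key_ref,
+			       struct task_struct *context,
+			       key_perm_t perm);
+
 static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
 {
-	struct key *key = key_ref_to_ptr(key_ref);
-	key_perm_t kperm;
-
-	if (is_key_possessed(key_ref))
-		kperm = key->perm >> 24;
-	else if (key->uid == current->fsuid)
-		kperm = key->perm >> 16;
-	else if (key->gid != -1 &&
-		 key->perm & KEY_GRP_ALL &&
-		 in_group_p(key->gid)
-		 )
-		kperm = key->perm >> 8;
-	else
-		kperm = key->perm;
-
-	kperm = kperm & perm & KEY_ALL;
-
-	return kperm == perm;
-}
-
-/*
- * check to see whether permission is granted to use a key in at least one of
- * the desired ways
- */
-static inline int key_any_permission(const key_ref_t key_ref, key_perm_t perm)
-{
-	struct key *key = key_ref_to_ptr(key_ref);
-	key_perm_t kperm;
-
-	if (is_key_possessed(key_ref))
-		kperm = key->perm >> 24;
-	else if (key->uid == current->fsuid)
-		kperm = key->perm >> 16;
-	else if (key->gid != -1 &&
-		 key->perm & KEY_GRP_ALL &&
-		 in_group_p(key->gid)
-		 )
-		kperm = key->perm >> 8;
-	else
-		kperm = key->perm;
-
-	kperm = kperm & perm & KEY_ALL;
-
-	return kperm != 0;
-}
-
-static inline int key_task_groups_search(struct task_struct *tsk, gid_t gid)
-{
-	int ret;
-
-	task_lock(tsk);
-	ret = groups_search(tsk->group_info, gid);
-	task_unlock(tsk);
-	return ret;
-}
-
-static inline int key_task_permission(const key_ref_t key_ref,
-				      struct task_struct *context,
-				      key_perm_t perm)
-{
-	struct key *key = key_ref_to_ptr(key_ref);
-	key_perm_t kperm;
-
-	if (is_key_possessed(key_ref)) {
-		kperm = key->perm >> 24;
-	}
-	else if (key->uid == context->fsuid) {
-		kperm = key->perm >> 16;
-	}
-	else if (key->gid != -1 &&
-		 key->perm & KEY_GRP_ALL && (
-		 key->gid == context->fsgid ||
-		 key_task_groups_search(context, key->gid)
-		 )
-		 ) {
-		kperm = key->perm >> 8;
-	}
-	else {
-		kperm = key->perm;
-	}
-
-	kperm = kperm & perm & KEY_ALL;
-
-	return kperm == perm;
-
+	return key_task_permission(key_ref, current, perm);
 }
 
 extern key_ref_t lookup_user_key(struct task_struct *context,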
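Review bot: The comment that used to introduce key_permission() now sits over the new extern prototype of key_task_permission(), and the inline key_permission() that follows is left without any comment of its own. Since a prototype now separates the comment from the inline, I would give the inline a one-liner, `/* as key_task_permission(), but checked against the current task's credentials */`, and extend the prototype's comment to name its arguments: context is the task whose fsuid/fsgid/group list are tested, and perm is a mask of which every bit must be granted for a non-zero result. Those mask semantics are only visible in the permission.c hunk of this commit, not in this header.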
+1
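--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -6,6 +6,7 @@
 	key.o \
 	keyring.o \
 	keyctl.o \
+	permission.o \
 	process_keys.o \
 	request_key.o \
 	request_key_auth.o \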
+70
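--- /dev/null
+++ b/security/keys/permission.c
@@ -0,0 +1,70 @@
+/* permission.c: key permission determination
+ *
+ * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#include <linux/module.h>
+#include "internal.h"
+
+/*****************************************************************************/
+/*
+ * check to see whether permission is granted to use a key in the desired way,
+ * but permit the security modules to override
+ */
+int key_task_permission(const key_ref_t key_ref,
+			struct task_struct *context,
+			key_perm_t perm)
+{
+	struct key *key;
+	key_perm_t kperm;
+	int ret;
+
+	key = key_ref_to_ptr(key_ref);
+
+	/* use the top 8-bits of permissions for keys the caller possesses */
+	if (is_key_possessed(key_ref)) {
+		kperm = key->perm >> 24;
+		goto use_these_perms;
+	}
+
+	/* use the second 8-bits of permissions for keys the caller owns */
+	if (key->uid == context->fsuid) {
+		kperm = key->perm >> 16;
+		goto use_these_perms;
+	}
+
+	/* use the third 8-bits of permissions for keys the caller has a group
+	 * membership in common with */
+	if (key->gid != -1 && key->perm & KEY_GRP_ALL) {
+		if (key->gid == context->fsgid) {
+			kperm = key->perm >> 8;
+			goto use_these_perms;
+		}
+
+		task_lock(context);
+		ret = groups_search(context->group_info, key->gid);
+		task_unlock(context);
+
+		if (ret) {
+			kperm = key->perm >> 8;
+			goto use_these_perms;
+		}
+	}
+
+	/* otherwise use the least-significant 8-bits */
+	kperm = key->perm;
+
+use_these_perms:
+	kperm = kperm & perm & KEY_ALL;
+
+	return kperm == perm;
+
+} /* end key_task_permission() */
+
+EXPORT_SYMBOL(key_task_permission);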
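Review bot: The block comment over key_task_permission() says the check will "permit the security modules to override", but no security hook is called anywhere in the function body; the commit message only announces LSM support as forthcoming. Until that hook lands, the comment documents behaviour that does not exist, and someone auditing the access path will look for an override point that is not there. I would reword it to state what the function decides today: `/* check whether every bit of perm is granted to context on the key: select the 8-bit class for possessor, owner, group or other, mask it with perm and KEY_ALL, and return non-zero iff the result equals perm (so a perm of 0 is always granted) */`. The `ret` local declared at the top is only assigned and read inside the group-search branch, so declaring it there would keep its scope with its use; `key->gid != -1` compares an unsigned gid against -1, which relies on the implicit conversion and will trip -Wsign-compare.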